SOUTH HADLEY – At a recent South Hadley board meeting, the town’s credit committee touched on what might have seemed a boring topic: liability insurance.
But the rise in insurance premiums the committee questioned indicates an urgent problem facing cities and towns across the state: potential cyber attacks from hackers seeking to lock down municipal data in order to extract ransom. Such “ransomware” attacks have reached “pandemic” levels, some experts have warned, as municipalities grapple with the growing likelihood that their systems will be the next to be breached by hackers.
“It’s really not a reflection on South Hadley,” said city administrator Michael Sullivan in an interview, noting that the city has stepped up its cybersecurity insurance coverage, doubling premiums to 32 $ 000 per year. “It’s a reflection on where we are in America right now.”
Cyber security isn’t the only reason South Hadley’s liability insurance costs have increased; the cost of police compensation has also increased for municipalities, Sullivan said. But when it comes to preparing for the possibility of getting hacked, South Hadley is far from alone. Municipalities in the region are trying to improve their own cybersecurity as hackers become more daring and sophisticated.
“Incidents of hacking, breaches, attacks, it’s just on the rise,” said Geoffrey Beckwith, executive director and CEO of the Massachusetts Municipal Association. These attacks are not just happening in Massachusetts, but around the world, he said.
Given this reality, some municipalities have increased their cybersecurity insurance – if they can. Beckwith said many insurance companies have withdrawn the cybersecurity coverage options they offer, given the dramatically increased risk of being hacked. Other cities and towns are making significant efforts to update their digital infrastructure and training to prevent attacks from happening in the first place.
In Easthampton, the city is doing both, expanding its insurance coverage but also investing in patching vulnerabilities by updating its hardware and software. Mayor Nicole LaChapelle said the city’s digital infrastructure is just as important as what people generally think of as “infrastructure” – the city’s roads and what lies below – but doesn’t get as much attention.
“Funding for these systems is woefully inadequate,” said LaChapelle.
She said the city will spend hundreds of thousands of dollars over the next five years to upgrade all of its systems. This work is vitally important, she added.
On Monday, in the basement of Easthampton’s municipal building, city technical staff stood in front of some of the servers the city uses to store data. Karin Moyano Camihort, the city’s IT director, explained that officials determined what needs to be renovated in order to provide better service to the city’s residents – see their water consumption when they pay their bills online, for example example – and to fight against cyber attacks.
“It costs money,” Moyano Camihort said. “But the cost of an attack is much higher.”
And these attacks are much more common than you might think for municipalities, said Noah DuBoff, the city’s IT technician.
“We are constantly under attack,” said DuBoff. None of these attacks have yet succeeded in Easthampton, but there have been examples of public entities hacked in recent years in western Massachusetts.
Chicopee public schools were hit by a ransomware attack in 2019, for example, and Sullivan revealed that South Hadley’s Fire District 1 – which is separate from the city – has been hit by a similar attack in recent years.
Stephanie Helm, director of the state’s quasi-public MassCyberCenter, said municipalities and other institutions that provide people with life-saving services – health systems and schools, for example – are at increased risk of facing a crisis. attack from hackers who suspect that they will be more likely to pay a ransom to get these services to work quickly again.
“They know that municipalities have an incentive to play ball, so to speak, if they get caught in a ransomware attack,” Helm said. A career naval officer who has held leadership positions in cyberspace and information operations, Helm said municipalities can also suffer from resource constraints when it comes to updating systems.
The state launched the MassCyberCenter, part of the Mass Tech Collaborative, in 2017. The organization provides resources to organizations, including municipalities, to support their cyber resilience. Helm said it starts with developing a plan in the event of an attack. Such plans save organizations valuable time knowing what they will do to “get out of the under” a cyber attack instead of paying the ransom.
The state also provided subsidy programs for training through its executive office of technology and security services. Moyano Camihort said Easthampton took one of these trainings, which taught employees how to avoid opening the city up to an attack by falling into an email “phishing attack”, which accounts for the vast majority of all. the attacks they see. However, that kind of effort needs to be done on a regular basis, Moyano Camihort said.
For Helm, cybersecurity issues need to attract much more municipal attention.
“I really think for years that was seen as the IT glitch, and I think the way the cyber threat has gotten really very professional and very deadly in terms of efficiency and focusing on hitting us where it is. hurts, I think it’s a leadership issue for city leadership, “she said.” We really need mayors and city officials to really understand the potential that cybersecurity can be a disaster if it hits your city. “
Helm said city leaders should talk about cybersecurity in public, promote what their city is doing to be more resilient, and what the public can do to help.
In Easthampton, LaChapelle said the city has been working hard to improve its own systems, but more help is needed.
“One major thing I would like to see from the state, the federal government, would be to offset the financial cost of putting all your documents in the cloud,” she said. “It may cost thousands of dollars a month to do it, but it is the safest way to do it.”
The stakes could not be higher for cities and towns, especially at a time when a large part of a municipality‘s services rely on its digital infrastructure.
“It’s not if it’s going to happen, it’s when,” Moyano Camihort said.
Dusty Christensen can be contacted at [email protected]